The Danger of Default Passwords

It’s not just computers that get hacked these days — researchers from Israel’s Ben-Gurion University of the Negev are sounding the alarm on fundamental vulnerabilities in smart home devices. A new report in the journal Smart Card Research and Advanced Applications by the school’s team at the Implementation Security and Side-Channel Attacks Lab found that it’s startlingly easy to uncover serious security risks in devices like baby monitors, home security cameras, doorbells, smart locks, and thermostats.

The researchers examined 16 off-the-shelf smart home gizmos to see if they could crack them. They were able to find the password for 14 of the 16 devices, and the majority of the devices could be accessed within 30 minutes and attached to a botnet. They originally set out to disassemble the devices and reverse-engineer them before they discovered that the easiest method was simply to track down the default factory-set passwords.

“You only need physical access once,” said Dr. Yossi Oren, who heads up the cybersecurity lab. “Once you buy one copy of a make and model of a camera and you attack it in your lab, you get information which will allow you to attack this make and model anywhere remotely,” he said.

In addition to uncovering these security faults, the researchers also put together a number of tips to keep smart home devices, families, and businesses more secure. Their protocols include:

Buy IoT devices only from reputable manufacturers and vendors.

Avoid used IoT devices. They could already have malware installed.

Research each device online to determine if it has a default password and, if so, change it before installing.

Use strong passwords with a minimum of 16 letters. These are hard to crack.

Multiple devices shouldn’t share the same passwords.

Update software regularly.

Carefully consider the benefits and risks of connecting a device to the internet.
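
The three password tips above can be checked mechanically across a household or office inventory. The following Python sketch is an added example, not code from the researchers' report; the device names, the passwords, and the short list of factory defaults are constructed for illustration.

```python
from collections import defaultdict

MIN_LENGTH = 16  # minimum length recommended in the tips above

# Constructed sample of factory defaults; in practice, fill this in from the
# vendor documentation for each make and model you own.
KNOWN_DEFAULTS = {"admin", "password", "12345", "0000"}


def audit(devices):
    """Return {device name: [findings]} for a list of (name, password) pairs."""
    findings = defaultdict(list)
    owners = defaultdict(list)  # password -> names of devices using it
    for name, password in devices:
        owners[password].append(name)
        if password.lower() in KNOWN_DEFAULTS:
            findings[name].append("factory default password")
        if len(password) < MIN_LENGTH:
            findings[name].append(f"shorter than {MIN_LENGTH} characters")
    # Flag every device whose password is also used by another device.
    for names in owners.values():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings[name].append(f"password shared with {others}")
    return dict(findings)


# Constructed inventory, e.g. exported from a password manager.
SAMPLE = [
    ("baby-monitor", "admin"),
    ("doorbell", "correct-horse-battery-staple"),
    ("thermostat", "correct-horse-battery-staple"),
    ("smart-lock", "Xq7#vLm2pRz9!tKd4w"),
]

if __name__ == "__main__":
    for device, problems in audit(SAMPLE).items():
        print(device, "->", "; ".join(problems))
```

Devices that pass all three checks do not appear in the result, so an empty result means the inventory follows the password tips.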